KQL Cheat Sheet: The Basics

Basic Syntax

• Use the | (pipe) operator to separate multiple commands.
• Use the let keyword to create variables.
• Use the where keyword to filter results.
• Use the project keyword to select specific columns.
• Use the summarize keyword to group and aggregate data.

Filtering Data

• where keyword: where ColumnName == "Value"
• in keyword: where ColumnName in ("Value1", "Value2")
• contains keyword: where ColumnName contains "Value"
• startswith keyword: where ColumnName startswith "Value"
• endswith keyword: where ColumnName endswith "Value"
• has keyword: where ColumnName has "Value"

Selecting Columns

• Use the project keyword to select specific columns: | project Column1, Column2, ...
• Use the extend keyword to add calculated columns: | extend NewColumn = Column1 + Column2

Aggregating Data

• summarize keyword: | summarize Aggregation(Column1), Aggregation(Column2) by Column3
• count keyword: | summarize count() by Column
• max keyword: | summarize max(Column) by Column2
• min keyword: | summarize min(Column) by Column2
• avg keyword: | summarize avg(Column) by Column2

Joining Data

• join keyword: Table1 | join kind=inner Table2 on Column1, Column2
• join with project: Table1 | join kind=inner Table2 on Column1, Column2 | project Column1, Table2.Column2
• join with summarize: Table1 | join kind=inner Table2 on Column1, Column2 | summarize Aggregation(Column1), Aggregation(Table2.Column2) by Column3